The federal government intends to make finding Trojan horses and
trapdoors on computer systems a "research priority," since the risk is
one that some companies may be facing as a result of hasty year 2000
repair work.

That was the message delivered by Richard Clarke, national coordinator
for security, infrastructure protection and counterterrorism, at a U.S. Commerce Department-sponsored conference on information security
last week.

Clarke said many companies "woke up too late" to the Y2K problem and,
in the process of doing "quick work," may have allowed malicious code to be implanted in their systems.

A Trojan horse can be as little as two lines of code buried in millions of lines of programming, said Clarke. "Even our best people have difficulty finding a Trojan horse or trapdoor," he said. Trapdoors can be used to gain unauthorized access into a system.

The Clinton administration is seeking $1 billion for information security research and development projects in next year's budget and intends to coordinate its efforts with those of the private sector "so we won't be duplicating what the corporations and the (information technology) industry will be doing on their own," said Clarke.

The security conference was aimed at corporate board members and
auditors -- the people who oversee information technology management
-- to improve information security so as to avoid the risk of damage to the national economy. The conference was held with the help of several professional auditing organizations.

Auditors are being targeted by U.S. officials to help raise information security awareness because of their unique roles in corporations: They interact with the companies' boards of directors and can question whether an enterprise is addressing its information security issues.

"We can cajole the private sector to do the right thing. You can actually scare them to do the right thing," said John Podesta, White House chief of staff, at the first of a series of six conferences aimed at top corporate management. The conferences are being sponsored by the U.S. Commerce Critical Infrastructure Assurance Office.

Podesta also said any solutions to information security problems must
be addressed by the private sector. Regulation, which is widely opposed by industry trade groups, won't work, he said. "Our policy is to support industry, not to overregulate it."

(end of article)

Maybe we should be monitoring more closely those companies that are proving to be more vulnerable to hackers.